Cybersecurity czar dodges questions over IT security

Author

Eerke Boiten, Senior Lecturer, School of Computing and Director of Interdisciplinary Cyber Security Centre at University of Kent

Disclosure Statement

Eerke Boiten is a senior lecturer in the School of Computing at the University of Kent, and Director of the University's interdisciplinary Centre for Cyber Security Research. He receives funding from EPSRC for the CryptoForma Network of Excellence on Cryptography and Formal Methods.

Cyber security has been a hot item on the UK government agenda in the last few years. Francis Maude of the Cabinet Office is the minister in charge. So if anyone was looking for answers in this area, his department would be an obvious place to send questions to, wouldn’t it? However, when Maude became so fed up with government IT that he brought his own wifi router to work, the ensuing questions appeared a bit too close to home.

A Freedom of Information request was submitted to the department in October last year asking for information about Maude’s personal wifi plans and the wider security policies in place at the Cabinet Office.

But answer came there none. The Information Commissioner’s Office (ICO) has been forced to step in over the department’s failure to answer the questions posed in the FoI request.

The BYOD conundrum

It has been estimated that 62% of UK adults now own a smartphone, with the overwhelming majority carrying it with them at all times, including at work. Sometimes we are asked to use our personal devices for work purposes and sometimes the temptation to use them instead of, or in addition to, computers provided at work, is too strong. This Bring Your Own Device (BYOD) culture leads to all kinds of problems.

This includes losing control of the data contained in your device, be it commercial or personal, as well as the possibility of introducing malware into your organisation.

The risks associated with personal information held by the organisation are sufficiently serious to have attracted the attention of the ICO, which is in charge of enforcing data protection legislation.

In March 2013, the ICO found that nearly half of UK workers used their own devices for work purposes, but fewer than three in ten organisations provided BYOD guidelines to staff. It has since released guidelines for organisations to ensure data protection in the context of BYOD.

The crucial advice is that if there is a security breach, the organisation needs to be able to prove that its data remains secured and can be deleted from devices if the need arises. The common solution is mobile device management. This software makes it possible to push updates to mobile devices to patch vulnerabilities, and allows users to remotely lock or wipe devices if they are stolen. Another option is to use separate networks for corporate and “outsider” devices, including those owned by staff.

Safe in the Cabinet?

Understandably, there were some incredulous reactions last autumn when it was reported that Maude had brought in his own wifi router in order to get his smartphone and tablet to work in the office.

This was running ahead of a more structural solution to clunky Whitehall IT infrastructure. He has been planning to install a separate hardware infrastructure for the Cabinet Office to allow staff to work using phones and tablets as of April 2014.

Few workers go so far as to bring in their own wifi infrastructure, but the security implications are similar, if not more serious. Remember, a rogue wifi router had also been a crucial component in the Barclays and Santander cyber-robberies which hit the press around the same time.

Questions were raised about the Cabinet Office’s BYOD policy and any security risk analysis that might have taken place in advance of Maude installing a router, many of which could have been answered if the department had provided the information asked for in the October FoI request.

By responding to this FoI request and the broader media furore, the Cabinet Office had an opportunity to take a necessary lead in BYOD cybersecurity advice. But it has so far failed to do so. And as it stands, Maude’s Cyber Security Strategy makes no mention of risks from the inside, let alone those arising from BYOD. This is despite the recommendation that the government should “raise awareness amongst businesses of the threat and actions that they can take to protect themselves”.

There is evidently some work going on in the Cabinet Office on BYOD, relating in particular to the Public Services Network which provides integrated secure services for government bodies. This even has its own FAQ on the topic. So BYOD is clearly on the radar.

Maude’s behaviour is not unusual. “Shadow IT” is a well-known phenomenon. Taking short cuts around corporate installations and procedures should not just be dismissed as irresponsible behaviour. It also indicates a strong need to improve usability – and security measures are often a case in point. Opportunistic as it may have seemed, Maude’s installation of a router should also be seen in this context.

The trouble is, Maude and his team are dealing with highly sensitive information on a daily basis so having clear policies about devices and security is a must. And in his role as cyber security czar, we should expect him to lead by example.

The Cabinet Office’s response to the FoI request could have gone beyond embarrassing admissions. It could have related Maude’s wifi installation to weaknesses in its draft BYOD policy and then proudly presented a new policy that addresses these weaknesses.

It could have said that protecting against deliberate or accidental insider security vulnerabilities, such as those that may arise through BYOD, is an essential part of cybersecurity policy and will be a part of the government’s Cyber Essentials campaign, which aims to help organisations deal with these problems.

The opportunity was missed, though. Earlier this month, the ICO served a Decision Notice on the Cabinet Office, for failing to provide any response to the FoI request beyond the initial acknowledgement. The department now has until 12 May to get its house in order and respond.